Wireless local area networks (WLANs) are not like wired ones – data is highly vulnerable in its silent transit through the air. All that is needed is the right utility to find the radio signal, interpret the data stream in much the same way as would any other network interface, and direct the intruder to useful bits of plain text information. Using an unsecured wirless link is the technological equivalent of leaving confidential documents lying around in the street.

Never underestimate what is worth stealing. There can’t be a single wireless network that doesn’t send emails, invoices and online banking log-ins from time to time (albeit that those are supposed to use https encryption), so there can’t, by definition, be a wireless network that somehow doesn’t need securing.

The topic is a big one, but here are a few basic pointers for using “informal” (ie non-corporate) wireless networking.

Stage one - secure the access point
Of their nature, wireless access points advertise themselves publicly, using what is called an SSID (service set identifier), so they will be noticed very quickly. The first task with any mass-market router/access point is to change this name from the default, which is usually just the name of the company that made it. This doesn’t make it any more secure as such but it does at least stop the administrator from looking like a naïve who has deliberately set out to attract the wrong types to his or her WLAN.

The SSID broadcast can be turned off, and while this stops it being so obviously noticed it doesn’t stop it being hacked once its presence is discovered through other means. The SSID is sent in clear text during setup so it can be divined pretty easily, as can the brand name, using any one of a number of tools.

It’s worth pointing out, incidentally, that the current generation of MIMO (multi-in, multi-out) routers claims to be able to project the radio signal over greater distances than conventional wireless appliances, in a swoop increasing the range from which attackers can detect the access point and strike. How far? In the worst case scenario – without too many metal, concrete or brick obstructions - assume up to a couple of hundred feet, double that or more if outdoors.

Immediately change the default password (which is often just the word “password”), preferably using a random alpha-numeric password generator, making it as long as possible. Change it once a month, or more if you’re paranoid. The user name is usually set.

Depending on the design, it is usually possible to specify which computers or devices can access the WLAN access point by white-listing hardware MAC addresses. Just turn on all the PCs that will be using the wireless network, and include them in list of acceptable machines using the access point’s configuration utility once each has been positively identified. This is not foolproof but it offers a useful layer of protection from casual intrusion if you’re not setting up the WLAN for more than a handful of clients.

If the router supports it, disable remote administration unless this is really needed. Finally, if the wireless access point in question is also a router, turn off DHCP. This dishes out IP addresses to devices on a first come-first-serve basis, and disabling this feature is one away of making connecting to the router more difficult. This means enabling static IP addresses for each device, of course, something that might become a hassle of more than a handful are being supported, or if the AP is being used for informal access. Note that the router will default to an IP address of something like192.168.1.0, or 192.168.0.1, or suchlike. This could be changed to a different subnet.

In part two of this article: the importance of using client encryption, authentication, and using low-cost authentication services.